Common vulnerability markup language

Abstract

Discovering, disclosing, and patching vulnerabilities in computer systems play a key role in the security area, but now vulnerability information from different sources is usually ambiguous text-based description that can't be efficiently shared and used in automated process. After explaining a model of vulnerability life cycle, this paper presents an XML-based common vulnerability markup language (CVML) describing vulnerabilities in a more structural way. Besides regular information contained in most of current vulnerability databases, information about classification, evaluation, checking existence and attack generation is also given in CVML. So it supports automated vulnerability assessment and remedy. A prototype of automated vulnerability management architecture based on CVML has been implemented. More manageable vulnerability databases will be built; promulgating and sharing of vulnerability knowledge will be easier; comparison and fusion of vulnerability information from different sources will be more efficient; moreover automated scanning and patching of vulnerabilities will lead to self-managing systems. © Springer-Verlag Berlin Heidelberg 2003.